66.132.153.121

Summary (Bottom Line Up Front)

A US-based threat actor (66.132.153.121) conducted a sustained SMB-focused attack campaign from March 4-14, 2026, demonstrating characteristics consistent with Advanced Persistent Threat (APT) operations. The actor achieved a maximum AbuseIPDB reputation score of 100/100, indicating confirmed malicious activity across multiple victim networks. Immediate SMB hardening and network segmentation are recommended.

Protocols observed: SMB, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+
Activity Timeline
Initial report: 2026-03-14T17:34:15Z
Source: batch_hunting
Technical details
The threat actor operated from IP address 66.132.153.121 over an 11-day period (March 4, 15:00 to March 14, 15:00, 2026), generating 71 security events across 2 unique destination ports. The primary attack vector was legacy SMB protocol exploitation, specifically targeting SMBv1 implementations. The actor used multiple protocols (SMB, TCP, TLS 1.0/1.2+), suggesting reconnaissance and lateral movement capabilities. The attack patterns align with MITRE ATT&CK techniques T1021.002 (Remote Services: SMB/Windows Admin Shares) and T1083 (File and Directory Discovery). Key IOC: 66.132.153.121, with confirmed SMBv1 exploitation attempts.
IOCs
IP: 66.132.153.121
Country: US
Recommendations
  • Immediately block IP address 66.132.153.121 at network perimeter and internal firewalls
  • Disable SMBv1 protocol across all Windows systems and network-attached storage devices
  • Implement network segmentation to isolate critical file shares from general user networks
  • Deploy enhanced monitoring for SMB traffic anomalies, particularly legacy protocol usage
  • Conduct an immediate audit of SMB shares for unauthorized access or file modifications during the March 4-14, 2026 timeframe